Exim TLS configuration
On all SMTP ports, i.e. 25, 465 and 587, TLS is not PCI DSS compliant.
I need to remove
TLS_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
I have to add
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
And I have to switch off CLIENT-INITIATED SECURE RENEGOTIATION.
How does this look as Exim config lines?
Howdy, the easiest way to change this would be in WHM: WHM >> Service Configuration >> Exim Configuration Manager >> Advanced. I think you're going to want to be around the tls_require_ciphers area. Thanks!
Thank you Eric, in tls_require_ciphers I have ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
But my test script (- Removed -) says two ciphers are missing for PCI DSS, which are listed above:
TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)
TLS_RSA_WITH_AES_128_GCM_SHA256 (AES128-SHA256)
And I should remove the non-PCI-DSS-compliant ciphers
TLS_RSA_WITH_IDEA_CBC_SHA (IDEA-CBC-SHA)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (CAMELLIA256-SHA)
which are not listed. Maybe you have a PCI DSS compliant tls_require_ciphers for cPanel 11.52? Thank you. Lautrivta
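To see what a cipher string really offers before rescanning, here is an added shell example (not the removed test script from the thread and not cPanel code). It expands a cipher string with `openssl ciphers -v`, which is the same OpenSSL cipher-list logic Exim applies to tls_require_ciphers, and checks the result against the two requirements the scan reported. The cipher strings in it are constructed samples, and the mail host and port given to the renegotiation probe are placeholders. Two points it makes visible: the CAMELLIA keyword in the posted string selects every Camellia suite, so CAMELLIA256-SHA is offered as long as that keyword is present; and the OpenSSL name of TLS_RSA_WITH_AES_128_GCM_SHA256 is AES128-GCM-SHA256, while AES128-SHA256 is the CBC suite TLS_RSA_WITH_AES_128_CBC_SHA256, so a check that looks for the wrong name will keep reporting the GCM suite as missing.

```shell
#!/bin/sh
# Added example, not from the thread: expand an OpenSSL cipher string the way
# Exim applies tls_require_ciphers, and check it against the two requirements
# the scan reported. Needs the openssl command-line tool.

# Ciphers the scan said must be absent (OpenSSL names).
PCI_FORBIDDEN="IDEA-CBC-SHA CAMELLIA256-SHA"
# Ciphers the scan said must be present. TLS_RSA_WITH_AES_128_GCM_SHA256 is
# AES128-GCM-SHA256 in OpenSSL naming; AES128-SHA256 is the CBC suite.
PCI_REQUIRED="AES128-SHA AES128-GCM-SHA256"

# Print the cipher names a given OpenSSL cipher string actually selects,
# one per line.
expand_ciphers() {
    openssl ciphers -v "$1" | awk '{print $1}'
}

# Return 0 if the cipher string offers every required cipher and none of the
# forbidden ones, 1 otherwise, reporting each problem on stderr.
pci_check() {
    selected=$(expand_ciphers "$1") || return 1
    status=0
    for c in $PCI_FORBIDDEN; do
        if printf '%s\n' "$selected" | grep -qx "$c"; then
            echo "FAIL: forbidden cipher offered: $c" >&2
            status=1
        fi
    done
    for c in $PCI_REQUIRED; do
        if ! printf '%s\n' "$selected" | grep -qx "$c"; then
            echo "FAIL: required cipher missing: $c" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample strings. The first keeps the AES and CAMELLIA catch-alls
# from the thread, which is what pulls in CAMELLIA256-SHA; the second spells the
# list out and excludes IDEA and Camellia explicitly.
WITH_CATCHALLS='ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5'
EXPLICIT='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!IDEA:!CAMELLIA'

# Live probe for client-initiated renegotiation against a running server
# (host and port are placeholders). s_client's "R" line asks the server to
# renegotiate on TLS 1.2 and below; a server that refuses answers with a
# handshake failure or no_renegotiation alert instead of a second handshake.
reneg_probe() {
    (sleep 1; printf 'R\n'; sleep 2) \
        | openssl s_client -tls1_2 -starttls smtp -connect "$1:$2" 2>&1 \
        | grep -i -E 'RENEGOTIATING|renegotiation|handshake failure'
}

# Usage: sh this_script.sh demo            (offline cipher-string checks)
#        reneg_probe mail.example.invalid 587   (needs a reachable server)
if [ "${1:-}" = "demo" ]; then
    pci_check "$WITH_CATCHALLS"; echo "catch-all string: exit $?"
    pci_check "$EXPLICIT";       echo "explicit string:  exit $?"
fi
```

Run the offline part against the exact string from your exim.conf, and note that an IANA name such as TLS_RSA_WITH_CAMELLIA_256_CBC_SHA never appears in `openssl ciphers` output; compare on the OpenSSL names, as the functions above do.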
I am waiting for a reply to my question! Does it not matter that cPanel Exim is not PCI DSS compliant in 2016? I can't believe it. I am afraid Exim in cPanel is not making use of the OpenSSL libs, right?
Hello :) Could you attach an image of what your PCI Compliance scan is reporting? You may find the following thread helpful, as other users have reported the cipher entries they are using for Exim: "I need to disable TLS v1.0". This document is also available: "PCI Compliance and Software Versions - cPanel Knowledge Base - cPanel Documentation". Thank you.